Published by Georgina Anthony. Modified over 6 years ago.
Detecting, reporting & investigating data breaches under GDPR
Stacey Egerton – Senior Policy Officer
Data Protection reform in local government, Manchester
Introduction
What is a data breach?
Investigating and notifying
Exercise – what data breaches may need to be notified
Good practice – how to get it right
Guidance
What is a personal data breach?
More than just losing personal data!
"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." (Article 4(12))
Previous opinion from WP29 categorises breaches according to three well-known information security principles:
Confidentiality
Availability
Integrity
Art 33 – notifying the ICO
Requirement to notify breaches to the ICO where the breach is likely to result in a risk to people's rights and freedoms.
Art 34 – notifying individuals
Requirement to communicate a breach to data subjects where it is likely to result in a high risk to people's rights and freedoms. Communication is not required if you meet the conditions in Art 34(3).
Without undue delay – 72 hours
Once a data controller becomes aware, an immediate risk assessment will be crucial to establish the likelihood and severity of the risk to people's rights and freedoms.
Risk assessment criteria (WP29 guidance)
The type of breach
Nature, sensitivity and volume of the personal data involved
Ease of identification of individuals
Severity of consequences for individuals
Special characteristics of the individual
Number of affected individuals
Remember – the focus of risk in relation to breach reporting is on either the actual or potential negative consequences. How serious are they? How likely are they to happen? Assessed on a case-by-case basis.
Exercise – What data breaches may need to be notified to the ICO and communicated to individuals?
Article 33(3) details what information you must provide to the ICO when notifying a breach.
What if we don’t have all the required information yet?
Still report the breach as soon as you can after becoming aware of it (not later than 72 hours).
Explain any delay with the required information.
Tell us when you expect to be able to provide more information.
Prioritise any required investigation and provide the further information ASAP and without any further undue delay.
How can we notify a breach to the ICO?
Website form – breach notification
Helpline – call us
What else should I be aware of?
Data processors – Art 33(2)
Keep a record of all data breaches – Art 33(5)
Failure to notify – could result in a fine.
Good Practice
Prepare
☐ Know how to recognise a personal data breach.
☐ Allocate responsibility for managing breaches to a dedicated person or team.
☐ Train staff to know how to recognise a security incident and who they should contact immediately.
☐ Prepare a response plan for addressing any personal data breaches that occur.
Respond
☐ A process to assess the likely risk to individuals as a result of a breach.
☐ A process to notify the ICO of a breach within 72 hours.
☐ A process to inform affected individuals about a breach when it is likely to result in a high risk.
☐ Document all breaches, even if they don't all need to be reported.
☐ Know what information we must give the ICO about a breach.
☐ Evaluate the causes of the breach and the effectiveness of the response – learn from mistakes where possible.
Guidance
ICO – Guide to the GDPR: Personal data breaches; Security; Accountability and governance
Article 29 Working Party – Guidelines on personal data breach notification